Companies on High Alert for Unemployment Fraud

Proactive Measures to Thwart Unemployment Fraud

In the past few months, the TrustedSec Incident Response team has responded to several incidents of unemployment benefit fraud. Due to the pandemic and nationwide lockdowns, an extremely high volume of unemployment claims has been submitted across the United States, and the growing number of fraud cases makes it difficult for states to investigate. There is high confidence that the fraudulent unemployment claims are due to increased crime group activity. Issues that stem from this form of fraud can include employee information being leaked, stolen, or bought and sold within darknet marketplaces and forums.

Bank of America estimated that fraud in California’s unemployment benefits system alone could now total $2 billion in losses. Bank of America identified 640,000 accounts with suspicious activity that need to be investigated. Making matters potentially worse, multiple reports indicate that more than 533 million Facebook users were recently hacked, and their private data was released to a hacking forum. According to Business Insider, the hack affects users from 106 countries, including more than 32 million people in the U.S.

Information Gathering Methods for Unemployment Fraud

Traditional forms of social engineering, such as phishing emails targeted at senior leadership, have generally been the main avenues of reconnaissance and attack. However, a new method has emerged. Cybercriminals now sell tutorials, via darknet or criminal forums, on filing a fraudulent claim or obtaining access to taxpayers’ unemployment relief accounts.

This transfer of knowledge occurs via applications such as Telegram that provide cloud-based anonymous messaging and a repository of tips and advice. Currently, there is a step-by-step playbook that scammers can follow. Tutorials and methods related to conducting unemployment fraud are selling for anywhere between $5 and $100, depending on the targeted state. Databases of hacked information typically sell a target's date of birth and Social Security number for $2 in cryptocurrency, making the overall investment very low.

To file fictitious claims with these methods, scammers rely on targeting people who have not already filed on their own. In some cases, it’s as simple as filing a claim. In others, where the state requires additional information, they will simply use public aggregation websites such as Verified or Truthfinder to get the information they need. This can include vehicles driven, familial maiden names, locations lived, and even dating profiles. Money will then be laundered through online accounts and people with legitimate U.S. bank accounts. Because of the easy success of the fraud at scale, this method will continue to gain traction.

What Role do Employers Play?

Fortunately, of the incidents TrustedSec has investigated, all have resulted in the same findings: There was no internal compromise or compromise from an associated (cloud) service (such as ADP, Paychex, etc.) that manages employee PII. Peers at other firms have had similar findings. The core issue has resided outside of the organization’s borders, which unfortunately is something that many organizations have minimal control over. At most, the individual victims may be targeted through a spear-phishing attack, which can lead to personal information compromise.

A few actions that TrustedSec recommends to ensure your organization is on top of unemployment fraud are: